-
-
Notifications
You must be signed in to change notification settings - Fork 424
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[IMP] auth_saml: only write value that changes
When using mapping, not writing the value systematically avoids getting security mail on login/email changes when there is no change. Also use SQL for blanking passwords avoids the security update mails.
- Loading branch information
1 parent
def9106
commit 2468d5e
Showing
3 changed files
with
53 additions
and
24 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,9 @@ | ||
## 16.0.1.0.0 | ||
## 17.0.1.1.0 | ||
|
||
Initial migration for 16.0. | ||
When using attribute mapping, only write value that changes. | ||
No writing the value systematically avoids getting security mail on login/email | ||
when there is no real change. | ||
|
||
## 17.0.1.0.0 | ||
|
||
Initial migration for 17.0. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -133,24 +133,25 @@ def test__compute_sp_metadata_url__provider_has_sp_baseurl(self): | |
self.assertEqual(self.saml_provider.sp_metadata_url, expected_url) | ||
self.saml_provider.sp_baseurl = temp | ||
|
||
def test__hook_validate_auth_response(self): | ||
# Create a fake response with attributes | ||
fake_response = DummyResponse(200, "fake_data") | ||
fake_response.set_identity( | ||
{"email": "[email protected]", "first_name": "New", "last_name": "User"} | ||
) | ||
|
||
# Add attribute mappings to the provider | ||
def _add_mapping_to_provider(self): | ||
"""Add mapping to the provider""" | ||
self.saml_provider.attribute_mapping_ids = [ | ||
(0, 0, {"attribute_name": "email", "field_name": "login"}), | ||
(0, 0, {"attribute_name": "first_name", "field_name": "name"}), | ||
(0, 0, {"attribute_name": "mail", "field_name": "login"}), | ||
(0, 0, {"attribute_name": "givenName", "field_name": "name"}), | ||
( | ||
0, | ||
0, | ||
{"attribute_name": "nick_name", "field_name": "name"}, | ||
), # This attribute is not in attrs | ||
] | ||
|
||
def test__hook_validate_auth_response(self): | ||
# Create a fake response with attributes | ||
fake_response = DummyResponse(200, "fake_data") | ||
fake_response.set_identity( | ||
{"mail": "[email protected]", "givenName": "New", "last_name": "User"} | ||
) | ||
self._add_mapping_to_provider() | ||
# Call the method | ||
result = self.saml_provider._hook_validate_auth_response( | ||
fake_response, "[email protected]" | ||
|
@@ -261,6 +262,17 @@ def test_login_with_saml(self): | |
# User should now be able to log in with the token | ||
self.authenticate(user="[email protected]", password=token) | ||
|
||
def test_login_with_saml_mapping_attributes(self): | ||
"""Test login with SAML on a provider with mapping attributes""" | ||
self.assertEqual(self.user.name, "User") | ||
self.assertEqual(self.user.login, "[email protected]") | ||
self._add_mapping_to_provider() | ||
self.test_login_with_saml() | ||
# Changed due to mapping and FakeIDP returning another value | ||
self.assertEqual(self.user.name, "Test") | ||
# Not changed | ||
self.assertEqual(self.user.login, "[email protected]") | ||
|
||
def test_disallow_user_password_when_changing_ir_config_parameter(self): | ||
"""Test that disabling users from having both a password and SAML ids remove | ||
users password.""" | ||
|